On Thursday, June 30, 2005, at 12:58 PM, James M Snell wrote:
6. If an entry contains any "enclosure" links, the digital signature
SHOULD cover the referenced resources. Enclosure links that are not
covered are considered untrusted and pose a potential security risk.

Fully disagree. We are signing the bits in the document, not the
outside. There is "security risk", those items are simply unsigned.

I tend to consider enclosures to be part of the document, even if they
are included by reference. As a potential consumer of an enclosure I
want to know whether or not the referenced enclosure can be trusted.
Is it accepted to change the SHOULD to a MAY with a caveat outlining
the security risk?

Perhaps a good approach would be for the signed entry to contain a
separate signature for the enclosure--so the entry's signature would
cover the bits in the enclosure's signature, but not the bits in the
enclosure itself. That way, the signature for the entry could be
verified without having to fetch the enclosure.

Where would that signature go? Did we decide that <link> doesn't have
to be empty? If so, that might be a good place...but then I don't have
any experience with signed XML, so I don't know whether there would be
technical difficulties with putting it in any particular place.
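The layered scheme proposed above (the entry's signature covers a digest of the enclosure, not the enclosure's bytes), as an added example that is not part of the thread or of any Atom implementation. It assumes a JSON-style entry and an HMAC as stand-ins for XML canonicalization and XML-DSig, and a constructed key and enclosure; the structure of what is covered is the point, not the primitives.

```python
import hashlib
import hmac
import json

# Constructed demo key shared by publisher and verifier. HMAC-SHA256 stands in
# for the asymmetric XML-DSig signature a real Atom feed would carry.
KEY = b"constructed-demo-key"


def enclosure_digest(enclosure_bytes: bytes) -> str:
    """Digest of the referenced resource; embedding it in the entry lets the
    entry's signature commit to the enclosure without covering its bytes."""
    return hashlib.sha256(enclosure_bytes).hexdigest()


def canonical(entry: dict) -> bytes:
    # Stand-in for XML canonicalization: deterministic JSON of the entry.
    return json.dumps(entry, sort_keys=True, separators=(",", ":")).encode()


def sign_entry(entry: dict, enclosure_bytes: bytes) -> dict:
    """Copy of the entry whose enclosure link carries the digest and whose
    signature covers the entry (digest included) but not the enclosure."""
    signed = dict(entry)
    signed["link"] = dict(entry["link"], digest=enclosure_digest(enclosure_bytes))
    signed["signature"] = hmac.new(KEY, canonical(signed), "sha256").hexdigest()
    return signed


def verify_entry(signed: dict) -> bool:
    """Verify the entry on its own; no fetch of the enclosure is needed."""
    body = {k: v for k, v in signed.items() if k != "signature"}
    expected = hmac.new(KEY, canonical(body), "sha256").hexdigest()
    return hmac.compare_digest(expected, signed["signature"])


def verify_enclosure(signed: dict, fetched_bytes: bytes) -> bool:
    """After fetching, check the enclosure against the signed digest. The
    digest is only trustworthy if the entry signature itself verifies."""
    return verify_entry(signed) and hmac.compare_digest(
        signed["link"]["digest"], enclosure_digest(fetched_bytes))


# Constructed sample entry and enclosure bytes.
ENTRY = {"id": "urn:example:entry:1", "title": "Demo entry",
         "link": {"rel": "enclosure", "href": "http://example.invalid/a.mp3"}}
ENCLOSURE = b"constructed enclosure bytes"

if __name__ == "__main__":
    s = sign_entry(ENTRY, ENCLOSURE)
    print(verify_entry(s), verify_enclosure(s, ENCLOSURE),
          verify_enclosure(s, ENCLOSURE + b"tampered"))
```

A consumer that never fetches the enclosure still gets a verifiable entry; one that does fetch it learns whether the bytes it received are the ones the publisher signed for.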